[ClusterLabs] PCS ACL for the "pcs cluster stop" command

Miroslav Lisik mlisik at redhat.com
Mon Oct 16 08:29:52 EDT 2023



On 10/16/23 12:16, Klaus Wenninger wrote:
> 
> 
> On Fri, Oct 13, 2023 at 9:21 PM Reid Wahl <nwahl at redhat.com> wrote:
> 
>     On Fri, Oct 13, 2023 at 12:19 PM Reid Wahl <nwahl at redhat.com> wrote:
>      >
>      > On Fri, Oct 13, 2023 at 9:56 AM Roberto Rodrigos <robson2445 at gmail.com> wrote:
>      > >
>      > > good day!
>      > > I use the configuration shown below to create an ACL.
>      > > How can I restrict access to the "pcs cluster stop" command for a user?
>      >
>      > I don't think you can. ACLs are implemented in Pacemaker; pcs simply
>      > provides an interface to manage them.
>      >
>      > `pcs cluster stop` basically runs `systemctl stop pacemaker;
>      > systemctl stop corosync`. So it doesn't interact with the Pacemaker ACLs. It
>      > just stops the service.
> 
>     In my experience only the root user can run `pcs cluster stop`
>     successfully anyway
> 
> 
> Haven't actually tried it, but in a setup running pcsd, stop commands would
> run in the context of pcsd, and so it might still be possible to trigger
> commands by a non-root user which wouldn't work when called directly.
> 
> Klaus
> 
Every user in the haclient group with the default pcsd permissions for the
haclient group can run commands such as `pcs cluster stop` (except `pcs cluster
node add`) after authenticating to the local pcsd.

[user at hostname ~]$ groups
user haclient
[user at hostname ~]$ pcs cluster stop
Warning: Unable to read the known-hosts file: No such file or directory: '/home/user/.pcs/known-hosts'
Error: Unable to authenticate against the local pcsd. Run the same command as root or authenticate yourself to the local pcsd using command 'pcs client local-auth'
[user at hostname ~]$ pcs client local-auth -u user
Password:
localhost: Authorized
[user at hostname ~]$ pcs cluster stop
Stopping Cluster (pacemaker)...
Stopping Cluster (corosync)...
> 
>      >
>      > > useradd rouser -m -G haclient
>      > > useradd rwuser -m -G haclient
>      > > passwd rwuser
>      > > passwd rouser
>      > > pcs acl enable
>      > > pcs acl role create read-only description="Read access to cluster" read xpath /cib
>      > > pcs acl role create write-access description="Full access" write xpath /cib
>      > > pcs acl permission add write_config write xpath /cib/configuration
>      > > pcs acl permission add write_config write xpath //crm_config//nvpair[@name='maintenance-mode']
>      > > pcs acl permission add write_config write xpath //nvpair[@name='maintenance']
>      > > pcs acl permission add write_config write xpath //resources
>      > > pcs acl permission add write_config write xpath //constraints
>      > > pcs acl user create rouser read-only
>      > > pcs acl user create rwuser write-access
>      > > pcs acl role assign read-only to rouser
>      > > pcs acl role assign write_config to rwuser
>      > >
>      > > User: rouser
>      > >   Roles: read-only
>      > > User: rwuser
>      > >   Roles: write-access write_config
>      > > Role: read-only
>      > >   Description: Read access to cluster
>      > >   Permission: read xpath /cib (read-only-read)
>      > > Role: write-access
>      > >   Description: Full access
>      > >   Permission: write xpath /cib (write-access-write)
>      > > Role: write_config
>      > >   Permission: write xpath /cib/configuration (write_config-write)
>      > >   Permission: write xpath //crm_config//nvpair[@name=maintenance-mode] (write_config-write-1)
>      > >   Permission: write xpath //nvpair[@name=maintenance] (write_config-write-2)
>      > >   Permission: write xpath //resources (write_config-write-3)
>      > >   Permission: write xpath //constraints (write_config-write-4)
>      > >
>      > > su rouser
>      > > Username: rouser
>      > > Password:
>      > > localhost: Authorized
>      > > pcs cluster stop
>      > > Stopping Cluster (pacemaker)...
>      > > Stopping Cluster (corosync)...
>      > >
>      > > _______________________________________________
>      > > Manage your subscription:
>      > > https://lists.clusterlabs.org/mailman/listinfo/users
>      > >
>      > > ClusterLabs home: https://www.clusterlabs.org/
>      >
>      >
>      >
>      > --
>      > Regards,
>      >
>      > Reid Wahl (He/Him)
>      > Senior Software Engineer, Red Hat
>      > RHEL High Availability - Pacemaker
> 

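The practical consequence of the thread is that the set of accounts able to run `pcs cluster stop` without root is not governed by Pacemaker ACLs at all, but by haclient group membership plus a local pcsd token (the `~/.pcs/known-hosts` file named in the warning above). The script below is an added example, not code from the thread or from the pcs project: it audits that set on a node by listing haclient members and reporting which of them already hold a local token. The group line and the home directories it works on are constructed so that it runs offline; on a real node the group line would come from `getent group haclient` and the home base would be `/home`.

```shell
#!/bin/sh
# Added example (not from the thread or the pcs project): audit which local
# accounts can reach the pcsd "cluster stop" path discussed above.
# Inputs are constructed so the script runs offline; on a real node use
# `getent group haclient` for the group line and /home as the home base.

# Constructed stand-in for the output of `getent group haclient`.
SAMPLE_GROUP_LINE='haclient:x:189:user,rouser,rwuser'

# haclient_members LINE
#   Print the members of the haclient group, one account per line.
#   Prints nothing if LINE describes a different group.
haclient_members() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "haclient" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# token_present HOMEBASE USER
#   Exit 0 when HOMEBASE/USER/.pcs/known-hosts exists, i.e. the account has
#   already run `pcs client local-auth` (or otherwise holds a pcsd token),
#   exit 1 otherwise.
token_present() {
    [ -f "$1/$2/.pcs/known-hosts" ]
}

# audit_report LINE HOMEBASE
#   One line per haclient member: "<user> token=yes|no".
audit_report() {
    haclient_members "$1" | while IFS= read -r u; do
        if token_present "$2" "$u"; then
            printf '%s token=yes\n' "$u"
        else
            printf '%s token=no\n' "$u"
        fi
    done
}

# count_with_token LINE HOMEBASE
#   Number of haclient members that currently hold a local pcsd token.
count_with_token() {
    audit_report "$1" "$2" | awk '/token=yes$/ { c++ } END { print c + 0 }'
}

# Stand-alone demo on a constructed home tree: only "user" holds a token,
# mirroring the session in the reply above.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/user/.pcs" "$demo_home/rouser" "$demo_home/rwuser"
: > "$demo_home/user/.pcs/known-hosts"
echo "haclient members and local pcsd token status (constructed data):"
audit_report "$SAMPLE_GROUP_LINE" "$demo_home"
echo "members with a token: $(count_with_token "$SAMPLE_GROUP_LINE" "$demo_home")"
rm -rf "$demo_home"
```

Accounts reported with `token=no` can still obtain a token with `pcs client local-auth` as long as they know a pcsd password for the node, so the membership list, not the token column, is the boundary worth reviewing; the token column only shows who could run `pcs cluster stop` right now without any further step.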